ldap auth through saslauthd through cyrus
Hello,

I have a working installation of cyrus-imapd-2.3.7 on CentOS 5 and now I'm trying to apply the configuration to 2.4.9 on Ubuntu 11.10. I have a setup with virtualdomains, i.e. I'm using userp...@domain.com to login. Tests with testsaslauthd like

    testsaslauthd -u userp...@domain.com -p 123456

work fine:

    0: OK Success.

But logging in through POP3 results in this line in syslog:

    cyrus/pop3[20085]: badlogin: [10.0.1.71] plaintext userp...@domain.com SASL(-13): authentication failure: checkpass failed

I'm using cleartext logins and the important parts of imapd.conf look like this:

    allowapop: no
    sasl_mech_list: PLAIN
    virtdomains: userid
    sasl_pwcheck_method: saslauthd

How can I get more verbose output? Is there a separate saslauthd logfile so I can see what cyrus is actually sending to it? I'm afraid cyrus doesn't use the full email address to login but just the userpart. But how can I check or fix that? I can under no circumstances specify thousands of domains as allowed realms.

Kind regards
Marten

Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
Re: ldap auth through saslauthd through cyrus
On Tue, 2012-01-03 at 22:22 +0100, Marten Lehmann wrote:
> snip
> But logging in through POP3 results in this line in syslog:
> cyrus/pop3[20085]: badlogin: [10.0.1.71] plaintext userp...@domain.com SASL(-13): authentication failure: checkpass failed

hi marten,

i am assuming that you are running saslauthd with the -r argument -- something like:

    saslauthd -a ldap -O/etc/saslauthd.conf -r

i usually run saslauthd in the foreground so i can watch what is going on ...

cheers
m
Re: ldap auth through saslauthd through cyrus
Hello,

> i am assuming that you are running saslauthd with the -r argument -- something like:
> saslauthd -a ldap -O/etc/saslauthd.conf -r

Actually I did not, but thanks for pointing me to that! I noticed before in /var/log/auth that username and realm have been split, so that the username didn't contain the full email address and thus the LDAP lookup failed:

    saslauthd[19326]: Entry not found ((cn=userpart)).
    saslauthd[19326]: Authentication failed for userpart/domain.com: User not found (-6)
    saslauthd[19326]: do_auth : auth failure: [user=userpart] [service=imap] [realm=domain.com] [mech=ldap] [reason=Unknown]

But I thought that it is an issue of how cyrus passes the values to saslauthd, but actually it depends on how saslauthd treats the values it receives. So the -r parameter was just right:

    -r  Combine the realm with the login (with an '@' sign in between).
        e.g. login: foo realm: bar will get passed as login: foo@bar.
        Note that the realm will still be passed, which may lead to
        unexpected behaviour.

Thanks!

Kind regards
Marten
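As an added illustration of the failure and the fix discussed in this thread (this is example code, not code from the thread, from Cyrus or from saslauthd), the following Python models what happens to a virtdomains login on its way to the LDAP lookup: the user@realm split, the re-joining that saslauthd's -r flag performs, and the expansion of an ldap_filter template. The %u/%U/%d/%r tokens follow the saslauthd LDAP_SASLAUTHD documentation; the in-memory directory, the logins and the simplified equality-only search are constructed for the example. It goes slightly beyond the thread by also showing the alternative of keeping the realm separate and referencing it as %r in the filter, and by escaping substituted values per RFC 4515 so that filter metacharacters in a login cannot change the shape of the query.

```python
import re

# Constructed directory for this example: the cn values present in LDAP.
# The thread's account is stored under its full address.
DIRECTORY = {"userpart@domain.com"}


def split_login(login):
    """Split 'user@realm' into the separate user and realm that a
    virtdomains: userid login arrives as at saslauthd."""
    if "@" in login:
        user, _, realm = login.partition("@")
        return user, realm
    return login, ""


def saslauthd_user(user, realm, combine_realm):
    """Username handed to the ldap mechanism. With -r the realm is
    re-attached ('foo' + 'bar' -> 'foo@bar'); without -r only 'foo'."""
    if combine_realm and realm:
        return f"{user}@{realm}"
    return user


def ldap_escape(value):
    """RFC 4515 escaping for values substituted into a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template, user, realm):
    """Expand the ldap_filter tokens (%u full user, %U part before '@',
    %d part after '@', %r realm, %% literal percent) with escaped values."""
    userpart, _, domain = user.partition("@")
    subs = {
        "%u": ldap_escape(user),
        "%U": ldap_escape(userpart),
        "%d": ldap_escape(domain),
        "%r": ldap_escape(realm),
        "%%": "%",
    }
    out, i = [], 0
    while i < len(template):
        tok = template[i:i + 2]
        if tok in subs:
            out.append(subs[tok])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


_SIMPLE_FILTER = re.compile(r"^\((\w+)=(.*)\)$")


def search(directory, ldap_filter):
    """Stand-in for the LDAP search: only '(cn=value)' equality filters,
    compared against the escaped form of each stored cn."""
    m = _SIMPLE_FILTER.match(ldap_filter)
    if not m or m.group(1) != "cn":
        return False
    wanted = m.group(2)
    return any(ldap_escape(cn) == wanted for cn in directory)


def authenticate(login, combine_realm, template="(cn=%u)", directory=DIRECTORY):
    """Return (expanded filter, entry found) for one login attempt.
    Without -r this reproduces 'Entry not found ((cn=userpart))'."""
    user, realm = split_login(login)
    user = saslauthd_user(user, realm, combine_realm)
    flt = expand_filter(template, user, realm)
    return flt, search(directory, flt)


if __name__ == "__main__":
    for combine in (False, True):
        flt, ok = authenticate("userpart@domain.com", combine)
        state = "found" if ok else "Entry not found"
        print(f"-r {'on ' if combine else 'off'}: {flt:28} -> {state}")
    # Keeping the realm separate and naming it in the filter also works:
    print(authenticate("userpart@domain.com", False, "(cn=%u@%r)"))
```

Running it prints the failing filter (cn=userpart) for the non -r case and the matching (cn=userpart@domain.com) once -r is set; the last line shows that a filter of (cn=%u@%r) reaches the same entry without -r, which is the option to reach for when the realm must stay separate for other mechanisms.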